Millions of Airbnb users exposed to hijacking due to its phone number recycling policy


Hackers can easily hijack Airbnb accounts by creating a new account with a phone number that in the past belonged to another Airbnb customer

Airbnb is a vacation rental online marketplace that is very popular in the Americas and Europe. Airbnb lets users connect with renters for lodging, primarily homestays, or tourism experiences. However, a flaw in the way Airbnb handles account registration could be used to hijack Airbnb accounts.

The flaw was discovered by a SecurityWeek reader, Maya, who found that she could easily hijack another Airbnb account by creating a new account and adding a phone number that in the past belonged to another Airbnb customer.

Airbnb is not the first service to be vulnerable due to the recycled phone number flaw. Over the years many service providers have been affected by this very vulnerability. Maya says she found out that Airbnb lets anyone hijack a user’s account just by using a recycled number when her husband accidentally signed into another user’s account while trying to create an Airbnb account.

After entering his phone number during the account registration process, Maya’s husband received a 4-digit code via SMS that, when entered, logged him into the account of the previous owner of his phone number. Maya’s husband could access an account belonging to a woman from North Carolina and view her profile, which included her photo, email address, phone number, and other personal information. What makes this flaw doubly dangerous is that the account Maya’s husband accessed had a valid payment card attached. In the wrong hands, the account could be used to make bookings charged to the victim’s card.

Maya reached out to Airbnb, but they were less enthusiastic about patching the flaw. They said that very few Airbnb customers were affected by the flaw and that Maya should register for a new Airbnb account using a different phone number. The company told her that every Airbnb account is secured and can only be accessed by the legitimate account holder. However, Maya’s experience tells a different story.

Airbnb may not be able to fix the recycled phone number flaw on its own, but it should at least notify users by email when somebody logs on to their Airbnb accounts.
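The root cause described above is a login flow that treats "can receive an SMS code at this number right now" as proof of owning whatever account the number was attached to years ago. The following constructed example (added here; it is not Airbnb code and the service names, the 90-day re-verification window and the email challenge are assumptions) models the vulnerable pattern next to a hardened one that treats an old phone verification as stale, demands a second proof before granting access, and records the login notification the article asks for.

```python
"""Simulated SMS-code login: recycled phone number vs. a hardened flow.

Constructed example, not Airbnb's implementation. Names, timestamps and the
REVERIFY_AFTER window are assumptions chosen to illustrate the risk.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    email: str
    phone: str
    phone_verified_at: datetime          # when the holder last proved control of the number
    login_alerts: list = field(default_factory=list)


class NaiveService:
    """Vulnerable pattern: the phone number is the only key to the account."""

    def __init__(self):
        self.by_phone = {}

    def register(self, email, phone, now):
        self.by_phone[phone] = Account(email, phone, now)

    def login_with_sms(self, phone, now):
        # The SMS code only proves control of the number *today*; it says
        # nothing about who held the number when the account was created.
        # A new holder of a recycled number lands in the old owner's account.
        return self.by_phone.get(phone)


class HardenedService(NaiveService):
    """Phone verification ages out; stale numbers need a second proof."""

    # Assumption: carriers reassign inactive numbers after roughly this long.
    REVERIFY_AFTER = timedelta(days=90)

    def login_with_sms(self, phone, now, email_challenge=None):
        acct = self.by_phone.get(phone)
        if acct is None:
            return None                 # nothing to attach to: create a fresh account instead

        if now - acct.phone_verified_at > self.REVERIFY_AFTER:
            # The number may have changed hands. Require proof that the caller
            # also controls the account's email (e.g. a magic link) before
            # trusting the SMS code, and always leave a trace for the owner.
            if email_challenge != acct.email:
                acct.login_alerts.append(
                    f"{now.date()}: SMS login on stale number {phone} blocked; "
                    f"email confirmation required")
                return None
            acct.phone_verified_at = now   # number re-verified by the true owner

        # Successful logins are notified so the real owner can spot misuse.
        acct.login_alerts.append(f"{now.date()}: new login via {phone}, notified {acct.email}")
        return acct


def scenario():
    """Replay the article's sequence against both services and return what happened."""
    registered = datetime(2019, 1, 1)            # original owner verifies the number
    recycled = registered + timedelta(days=200)  # number has since been reassigned
    phone, owner = "+15550100", "victim@example.com"   # constructed sample values

    naive, hardened = NaiveService(), HardenedService()
    naive.register(owner, phone, registered)
    hardened.register(owner, phone, registered)

    naive_hit = naive.login_with_sms(phone, recycled)
    blocked = hardened.login_with_sms(phone, recycled)
    allowed = hardened.login_with_sms(phone, recycled, email_challenge=owner)
    alerts = hardened.by_phone[phone].login_alerts

    return {
        "naive_grants_old_account": naive_hit is not None and naive_hit.email == owner,
        "hardened_blocks_without_email": blocked is None,
        "hardened_allows_with_email": allowed is not None and allowed.email == owner,
        "alerts": alerts,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The naive service hands the recycled number's new holder the old owner's account, exactly the outcome Maya's husband saw; the hardened one refuses until the account's email is also proven, and both the refusal and the eventual login leave an alert the account owner would receive.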

